The ghost in the system

Hackers will typically look for the easiest and quietest route to establish a foothold in an organisation. While high-profile ransomware attacks make the headlines, a lesser-known method is to take over user and service accounts which are no longer in use. Attackers don’t want to draw attention to themselves, and “ghost users” (stale accounts) provide the perfect route in.

We spoke with Matt Lock, Director of Sales Engineers at Varonis, about the risks posed by these stale accounts, why they’re a rich target for exploitation and the importance of understanding account behaviour in order to spot malicious activity.

A recent report highlighted that across 80 organisations, an average of 26% of all accounts were those of ‘stale enabled users’. Why are organisations failing to close these accounts as users leave or move around the company?

A high proportion of stale accounts is often the result of a lack of communication between the IT team and other departments. Whilst IT can implement changes, they’re reliant on information from others – such as HR – to ensure accounts are deactivated.

Visibility and information overload are other challenges to overcome. It’s easy enough to run an Active Directory script to highlight the accounts which haven’t been accessed for a pre-determined period of time, but already over-stretched departments may not have the resources to prioritise the task of deactivating the accounts.

Why do these stale accounts present an attractive target for exploitation?

Stale accounts by their very nature are those accounts which are no longer needed, so any activity around these typically goes unnoticed. This is what makes them very simple and easy targets when it comes to accessing sensitive information and causing disruption.

From an external perspective, it’s relatively easy for an attacker to find the ghosts on the network, often through social engineering. It may take a bit of background work, but it is very simple to build a picture of who has recently left an organisation, especially if a company has a bad track record in managing its accounts. It’s usually also not that difficult to guess the format and structure of user accounts.

There is also the matter of the dark web – many stolen credentials are available online for a price. A person who has left a company won’t bother changing their password, so it stands to reason that some of the credentials will still be valid and allow an attacker access into the system.

What are the risks posed by accounts which may not have been accessed for several months, but which still have active access permissions?

These ‘ghost user’ accounts lie dormant, going unnoticed day to day, yet still provide access to systems and data. Stale user accounts are a great way for hackers to ‘test the water’ without generating any alerts. They can also be used to gain a foothold and move around in an organization.

If employees have left the company, they may be tempted to check whether their accounts are still enabled. But what if an employee left on bad terms? They could access and steal any information they wanted and the company would be none the wiser.

Now imagine what would happen if a senior-level staff member with access to a wide range of sensitive information leaves the organization. A hacker could potentially use that individual’s account to gain access to valuable intellectual property, employee PII, financial documentation and other information.

Why are service accounts also considered high risk?

A lot of the stale accounts we see are also service accounts. These are the accounts used by system services such as web servers, mail transport and databases, and tend to have far less governance than user accounts. Service accounts are typically also privileged accounts and may have access to more sensitive data as well as open access to all the files on the network.

Due to the nature of what they are, we often see service accounts being reused multiple times, increasing the security risk. There are ways to lock down these accounts to ensure they only hold a certain level of access but with the lack of governance, they are typically overlooked.

Why is it important to understand account behaviour when it comes to spotting malicious activity?

Unless you have data owners and business leaders who regularly ‘re-certify’ user accounts – as in, confirming that all active user accounts should remain active and disabling those which shouldn’t – it’s very important to understand account behaviour. That is, understanding how all accounts interact within the company to get access to applications and data.

If you understand what is normal and typical account behaviour, you’re in a much better position to be able to spot when accounts of certain types, of certain privileges, are starting to behave in a way they don’t typically. For example, are they accessing information they don’t normally access? Or why is a service account now accessing data which is potentially sensitive and could result in a loss of IP?

With GDPR on the horizon, what should organisations be doing to counteract the risks associated with ghost and stale accounts?

Our advice is straightforward: start taking control now. First, define where your data is, then examine user behaviour to understand the flow of data within the organisation, how it’s used and who needs access to it. Then it’s about putting in place defences; define who has access to files and develop strategies to dispose of any stale data that isn’t needed. Data access should be governed by a ‘least privilege’ model in which only those that ‘need to know’ have access. The good news is that there are now ways to automate the management of access rights and permissions, saving time and improving efficiencies, so that these processes need not be a management burden for IT teams.

How can automation contribute to the identification of stale user accounts and removing them?

Identifying ghost users, especially as an organisation grows in size, takes time and is often considered an afterthought. Automation helps remove the burden of this very time-consuming, manual task without requiring any additional manpower. Automation can also make identifying stale user accounts part of an ongoing “check-up” to ensure your IT environment is more manageable and less vulnerable to attack.
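
The two checks discussed in the interview, listing stale enabled accounts and spotting a dormant account that suddenly becomes active, are sketched below as an added example; it is not part of the interview and not Varonis code. The CSV layouts, the 90-day window, the sample rows and the function names are all assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data (hypothetical export format, not from a real directory).
ACCOUNTS_CSV = """name,type,enabled,last_logon
a.khan,user,true,2018-03-28
j.smith,user,true,2017-09-14
svc-backup,service,true,2017-06-02
m.jones,user,false,2017-05-20
new.starter,user,true,
"""
# Constructed logon events; 203.0.113.50 is a documentation-range address.
LOGONS_CSV = """time,name,source
2018-04-02T09:12:00,a.khan,10.0.4.21
2018-04-02T23:47:00,j.smith,203.0.113.50
2018-04-03T02:05:00,svc-backup,10.0.9.8
"""

def load_accounts(text):
    """Parse the export; an empty last_logon means the account never logged on."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_logon"].strip()
        accounts[row["name"]] = {
            "type": row["type"],
            "enabled": row["enabled"].lower() == "true",
            "last_logon": datetime.strptime(last, "%Y-%m-%d") if last else None,
        }
    return accounts

def stale_enabled(accounts, now, max_idle_days=90):
    """Enabled accounts with no logon inside the window, never-used ones included."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(n for n, a in accounts.items()
                  if a["enabled"] and (a["last_logon"] is None or a["last_logon"] < cutoff))

def ghost_logons(accounts, logons_text, max_idle_days=90):
    """Logons by enabled accounts that had been idle longer than the window."""
    last_seen = {n: a["last_logon"] for n, a in accounts.items() if a["enabled"]}
    alerts = []
    for ev in csv.DictReader(io.StringIO(logons_text)):
        when = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%S")
        previous = last_seen.get(ev["name"])
        if previous is not None and (when - previous).days > max_idle_days:
            idle = (when - previous).days
            alerts.append((ev["name"], accounts[ev["name"]]["type"], idle, ev["source"]))
        if ev["name"] in last_seen:
            last_seen[ev["name"]] = when  # later logons the same day do not re-alert
    return alerts
```

Run on a schedule, the first function feeds the re-certification or disable queue, while the second is the behavioural alert: a long-idle account, particularly a service account, that starts authenticating again.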